Scarab-XTBL Ransomware
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 21,495 |
|---|---|
| Threat Level: | 80 % (High) |
| Infected Computers: | 3 |
| First Seen: | October 10, 2025 |
| Last Seen: | April 27, 2026 |
| OS(es) Affected: | Windows |
The Scarab-XTBL Ransomware is an encryption ransomware Trojan belonging to the Amnesia Ransomware family. It is a variant of the Scarab Ransomware, a member of the Amnesia family first observed in June of 2017. Several versions of this strain have been released in quick succession, possibly to help this and similar threats evade detection. Very little differentiates the Scarab-XTBL Ransomware from the numerous other ransomware Trojans currently being used to infect and extort computer users. Like many other threats of this type, the Scarab-XTBL Ransomware is delivered to victims through spam email messages and by deceiving computer users. Once installed, it takes the victim's files hostage with an encryption algorithm and then demands a ransom payment in exchange for the decryption key, which is the only way to restore the affected files.
What the Scarab-XTBL Ransomware will Do with Your Files
The Scarab-XTBL Ransomware is delivered to victims through corrupted Microsoft Word files containing embedded macro scripts, attached to spam email messages. The Scarab-XTBL Ransomware uses AES encryption to make the victim's files unreachable. The files encrypted by the Scarab-XTBL Ransomware are identified by the '.xtbl' extension, which is appended to the affected file's name. The Scarab-XTBL Ransomware encrypts user-generated files, which may span many file types. File types typically encrypted in a Scarab-XTBL Ransomware attack include:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.
The Scarab-XTBL Ransomware’s Ransom Note
The Scarab-XTBL Ransomware often runs as 'Win98.exe' or 'systems.exe' on the affected computer in an attempt to hide its presence. It delivers its ransom note as a text file named 'IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.txt' that is dropped on the infected computer's desktop. This text file contains the following message:
'IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS
email - joxel@cock.li
Your files are now encrypted!
BEGIN PERSONAL IDENTIFIER
[RANDOM CHARACTERS]
END PERSONAL IDENTIFIER
All your files have been encrypted due to a security problem with your PC. Now you should send us email with your personal identifier. This email will be as confirmation you are ready to pay for decryption key. You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: joxel@cock.li'
However, following the instructions in the Scarab-XTBL Ransomware's ransom note or agreeing to pay the demanded ransom is not a wise decision. Instead, affected users should restore their files from a backup copy.
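The indicators described above (the ransom note filename, the appended '.xtbl' extension, the 'Win98.exe' / 'systems.exe' process names and the contact address in the note) can be turned into a quick host-triage check. The following is an added example, not EnigmaSoft's code: the file listing, process list and note body are constructed, and the 10-file threshold for flagging a directory as mass-renamed is an assumption.

```python
"""Scarab-XTBL host triage (added example, not EnigmaSoft's code). Checks the
page's indicators; the 10-file mass-rename threshold is an assumption."""
from collections import Counter
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.txt"
ENCRYPTED_EXT = ".xtbl"
PROCESS_NAMES = {"win98.exe", "systems.exe"}
CONTACT_EMAIL = "joxel@cock.li"
MASS_RENAME_THRESHOLD = 10  # assumption: tune per environment

def _split(path):
    """Return (directory, filename) for a Windows-style path string."""
    head, _, name = path.replace("/", "\\").rpartition("\\")
    return head, name

def triage(paths, processes, note_text=""):
    """Map each matched indicator to its evidence; empty dict means no match."""
    findings = {}
    # 1. Ransom note dropped on the desktop (case-insensitive filename match)
    notes = [p for p in paths if _split(p)[1].lower() == RANSOM_NOTE.lower()]
    if notes:
        findings["ransom_note"] = notes
    # 2. Files carrying the appended .xtbl extension
    encrypted = [p for p in paths if p.lower().endswith(ENCRYPTED_EXT)]
    if encrypted:
        findings["xtbl_files"] = encrypted
    # 3. Many renamed files in one directory points to active mass encryption
    per_dir = Counter(_split(p)[0] for p in encrypted)
    hot = {d: n for d, n in per_dir.items() if n >= MASS_RENAME_THRESHOLD}
    if hot:
        findings["mass_rename"] = hot
    # 4. Process names the report says the sample runs under
    procs = [p for p in processes if p.lower() in PROCESS_NAMES]
    if procs:
        findings["process_name"] = procs
    # 5. Contact address quoted in the note body
    if CONTACT_EMAIL in note_text.lower():
        findings["contact_email"] = [CONTACT_EMAIL]
    return findings

# Constructed sample host state: one dropped note, twelve renamed documents,
# one untouched file, and the sample running as Win98.exe.
SAMPLE_PATHS = (["C:\\Users\\alice\\Desktop\\" + RANSOM_NOTE]
                + [f"C:\\Users\\alice\\Documents\\report{i}.docx.xtbl" for i in range(12)]
                + ["C:\\Users\\alice\\Documents\\notes.txt"])
SAMPLE_PROCESSES = ["explorer.exe", "Win98.exe", "svchost.exe"]
SAMPLE_NOTE = "Your files are now encrypted!\nContact us using this email address: joxel@cock.li"

def demo():
    """Run the triage over the constructed sample state."""
    return triage(SAMPLE_PATHS, SAMPLE_PROCESSES, SAMPLE_NOTE)
```

A real deployment would feed `triage` a directory walk of user profile folders and the output of a process listing; on a clean host it returns an empty dict.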
Protecting Your Data from the Scarab-XTBL Ransomware
The best protection against threats like the Scarab-XTBL Ransomware is to keep file backups on detached, portable hard drives and in cloud storage with protected logins. File backups allow computer users to restore their files without having to negotiate with the con artists to recover crucial data. File backups, combined with a good security program, can help halt most ransomware Trojan infections.
Analysis Report
General information
| Family Name: | Trojan.ReverseShell.FS |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have security information
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
File Traits
- No Version Info
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 12,409 |
|---|---|
| Potentially Malicious Blocks: | 103 |
| Whitelisted Blocks: | 12,268 |
| Unknown Blocks: | 38 |
Visual Map (not reproduced here; legend: ? = Unknown Block, x = Potentially Malicious Block)
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Brute.PVF
- BruteForce.O
- ReverseShell.PBC
- Trojan.Downloader.Gen.EU
- Trojan.Downloader.Gen.HD
- Trojan.Downloader.Gen.KP
- Trojan.Downloader.Gen.QF
- Trojan.ReverseShell.Gen.AR
- Trojan.ReverseShell.Gen.BK
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\belltower-run.log | Read Attributes,Synchronize,Read Control,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\dmvdflaplm.exe | Synchronize,Write Data |
| c:\users\user\downloads\rpxghdbbvt.exe | Synchronize,Write Data |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKCU\software\belltower\config::api_key | 龟욑욕손閖銕雄쏃閔슓隞쒟龒黂隐釁隔엁슒隒麔욐鋄엁龕鞓업鋃鞐싂閔鋅 | RegNtPreCreateKey |
| HKCU\software\belltower\config::seller_name | | RegNtPreCreateKey |
| HKCU\software\belltower\config::api_key | 쎐솟요얖麕쎔鋃麟龐鋅龓쒐鿂釃쒗鏁쒓싆슖閖웁쏅醒铃鿅웄쓁醐솟쓅얔麟 | RegNtPreCreateKey |
| HKCU\software\belltower\config::seller_name | | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Syscall Use | |
| Network Winsock2 | |
| Network Info Queried | |
| Network Winsock | |